Network Connections Event Log

Network Connection Monitoring: A Critical Step in Threat Detection

Monitoring network connections is essential for identifying potentially malicious activities such as data exfiltration, command and control (C2) communication, or malware operations. This guide covers how to configure network connection logging and analyze key event logs to enhance your threat detection capabilities.


Configuring Network Connection Audit Logs

To enable detailed network connection monitoring, follow these steps:

Enable Audit Filtering Platform Connection

  1. Open Local Group Policy Editor:

    • Search for Edit Group Policy in the Windows search bar, or run gpedit.msc. On a domain-joined host, apply the same setting through a domain GPO instead, because domain audit policy overrides the local policy.

  2. Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection

  3. Enable Success and Failure Logs:

    • Success auditing writes Event ID 5156 for every connection the Windows Filtering Platform permits; Failure auditing writes Event ID 5157 for every connection it blocks. Both go to the Security log.

    • Expect very high volume: every TCP connect or accept and every UDP flow on the host produces an event, so plan Security log size and SIEM ingestion for it, or filter at the collector before forwarding.

    • Verify the effective policy with auditpol /get /subcategory:"Filtering Platform Connection"; it should report Success and Failure.


Key Event ID: 5156

Event ID 5156 ("The Windows Filtering Platform has permitted a connection") records, for each allowed connection, the initiating process (Process ID and full Application Name path), the local and remote addresses and ports, the protocol, the direction, and the WFP filter and layer that permitted it. Event ID 5157 ("The Windows Filtering Platform has blocked a connection") carries the same fields for blocked connections and is worth collecting alongside it: a blocked outbound attempt from an unexpected process is often the first visible sign of a payload that could not reach its operator.


Log Analysis Example

Here’s a simplified sample of Event ID 5156 captured in the Security log:

Event ID: 5156  
A network connection has been allowed.  

Application Name: powershell.exe  
Source Address: 192.168.1.10  
Source Port: 49876  
Destination Address: 13.235.67.159  
Destination Port: 4444  
Protocol: TCP  
Direction: Outbound  

The raw event differs from this summary in ways that matter for parsers and SIEM rules: the message reads "The Windows Filtering Platform has permitted a connection.", the fields are grouped under Application Information (Process ID, Application Name), Network Information (Direction, Source Address, Source Port, Destination Address, Destination Port, Protocol) and Filter Information (Filter Run-Time ID, Layer Name, Layer Run-Time ID), Application Name is an NT device path such as \device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe rather than a bare file name, and Protocol is the IANA protocol number (6 = TCP, 17 = UDP, 1 = ICMP) rather than a name.

Fields Breakdown

Application Name

  • The full NT device path of the process that initiated (outbound) or accepted (inbound) the connection. Match on the file name at the end of the path, but remember that a file name is trivially renamed: confirm the binary through the process creation event (4688) for the same Process ID.

  • Example: powershell.exe

    • Red Flag: PowerShell making outbound connections to unfamiliar external destinations, especially on non-standard ports, is suspicious. Baseline it first: Install-Module, update checks and administrative scripts generate legitimate PowerShell traffic, so the destination and port carry most of the signal.

Source Address and Port

  • The local system’s IP and port from which the connection originated.

  • Example: 192.168.1.10:49876

Destination Address and Port

  • The remote IP and port to which the connection was made.

  • Example: 13.235.67.159:4444

    • Port 4444: The default listener port for Metasploit payloads, so it is commonly seen with Meterpreter reverse shells. Changing it is a one-flag choice for the attacker, so treat its absence as no evidence of anything.

Direction

  • Specifies whether the local process initiated the connection (Outbound, WFP layer "Connect") or accepted an incoming one (Inbound, WFP layer "Receive/Accept").

  • Example: Outbound

    • Inbound events are just as useful: an allowed inbound connection to a workstation on 445 or 3389 from another workstation is a lateral movement lead.
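A parser for the raw 5156/5157 message text, added here as an example; it is not code from the original page. It uses the field names and layout of the real Windows Filtering Platform event text described above. The sample record it carries is constructed: the Process ID and Filter Run-Time ID are made-up values, the addresses and ports are the page's example, and the external-destination check treats everything outside RFC1918, loopback and link-local space as external.

```python
"""Parse the message body of a Windows Security Event ID 5156 / 5157 record.

Added example, not code from the original page. Field names and layout follow
the event text written by the Windows Filtering Platform (WFP); the sample
record at the bottom is constructed and mirrors the page's PowerShell example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The raw Protocol field is an IANA protocol number, not a name.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# RFC1918, loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# One "Key:<tabs/spaces>Value" line. Section headers such as "Network Information:"
# carry no value and deliberately do not match.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /-]*?):\s*(?P<value>\S.*?)\s*$")

REQUIRED = ("Application Name", "Direction", "Source Address", "Source Port",
            "Destination Address", "Destination Port", "Protocol")


@dataclass
class WfpConnection:
    allowed: bool              # True for 5156 (permitted), False for 5157 (blocked)
    process_id: Optional[int]  # None when the record carries no Process ID
    application_path: str      # NT device path as logged, \device\harddiskvolumeN\...
    application_name: str      # lower-cased file name at the end of that path
    direction: str             # "Outbound" or "Inbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str              # "TCP", "UDP", ... or the raw number if unknown
    layer_name: str            # WFP layer, e.g. "Connect" or "Receive/Accept"

    @property
    def external_destination(self) -> bool:
        """Destination outside RFC1918, loopback and link-local space."""
        addr = ipaddress.ip_address(self.dst_ip)
        return not any(addr in net for net in INTERNAL_NETS)


def parse_wfp_message(text: str) -> WfpConnection:
    """Turn the free-text message of a 5156/5157 event into a WfpConnection."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"not a WFP connection event; missing fields: {missing}")

    # The first line separates 5156 ("has permitted") from 5157 ("has blocked").
    first_line = text.strip().splitlines()[0].lower()
    allowed = "permitted" in first_line or "allowed" in first_line

    path = fields["Application Name"]
    # Kernel-mode traffic (e.g. SMB) logs the bare name "System"; rsplit copes with that too.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    raw_proto = fields["Protocol"]
    protocol = PROTOCOL_NAMES.get(int(raw_proto), raw_proto) if raw_proto.isdigit() else raw_proto.upper()
    pid = int(fields["Process ID"]) if fields.get("Process ID", "").isdigit() else None

    return WfpConnection(
        allowed=allowed, process_id=pid, application_path=path, application_name=name,
        direction=fields["Direction"], src_ip=fields["Source Address"],
        src_port=int(fields["Source Port"]), dst_ip=fields["Destination Address"],
        dst_port=int(fields["Destination Port"]), protocol=protocol,
        layer_name=fields.get("Layer Name", ""),
    )


# Constructed sample in the real WFP layout: the Process ID and Filter Run-Time ID
# are made-up values, the addresses and ports are the page's example, and
# layer 48 "Connect" is the outbound ALE connect layer.
SAMPLE_5156 = """The Windows Filtering Platform has permitted a connection.

Application Information:
\tProcess ID:\t\t4956
\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe

Network Information:
\tDirection:\t\tOutbound
\tSource Address:\t\t192.168.1.10
\tSource Port:\t\t49876
\tDestination Address:\t13.235.67.159
\tDestination Port:\t\t4444
\tProtocol:\t\t6

Filter Information:
\tFilter Run-Time ID:\t67895
\tLayer Name:\t\tConnect
\tLayer Run-Time ID:\t48
"""

if __name__ == "__main__":
    print(parse_wfp_message(SAMPLE_5156))
```

The parser also accepts the simplified summary shown earlier (a bare file name and "TCP" instead of "6"), so the same code can consume records that a SIEM has already flattened.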


Detecting Malicious Activity

1. Suspicious Processes

Look for processes initiating unusual or unauthorized network connections, such as:

  • powershell.exe

  • cmd.exe

  • wmiprvse.exe

All three have legitimate uses (administration scripts, WMI management), so alert on them in context: an outbound connection to a non-corporate destination, or a process that the 4688 event shows was spawned by an Office application or a browser.

2. Odd Ports

  • High-risk ports:

    • 4444, 1337, or other uncommon high-numbered destination ports. (Source ports are ephemeral and always high-numbered; only the destination port is meaningful here.)

    • Example: Port 4444 is frequently seen in C2 traffic or Meterpreter sessions.

  • Port rules are a weak signal on their own. Mature tooling defaults to 443 or 80 precisely to blend in, so pair port matching with the process and destination checks below.

3. Destination Address Reputation

  • Investigate destination IP addresses using threat intelligence platforms:

    • VirusTotal

    • AbuseIPDB

    • Shodan

Example:

  • 13.235.67.159 could belong to legitimate infrastructure but may also serve as an attacker-controlled endpoint. Reputation is a signal, not a verdict: cloud and CDN addresses are shared and recycled, so a clean score does not clear a connection and a single hit does not convict one.

4. Connection Patterns

  • Multiple outbound connections to uncommon or geographically distant destinations.

  • High-frequency or strikingly regular connections to the same IP or domain (the same process checking in every 60 seconds with little variation in the interval) could indicate:

    • Infostealers

    • Botnet activity

    • C2 communication


Practical Detection Strategy

  1. Identify Key Processes

    • Monitor processes like powershell.exe, svchost.exe, and cmd.exe for network connections. svchost.exe hosts many legitimate Windows services (Windows Update, time sync, BITS), so raw alerts on it are noise; use its Process ID to pull the command line from the 4688 event, whose -k argument names the service group it is running.

  2. Use SIEM Alerts

    • Set up alerts for Event ID 5156 under these conditions:

      • High-risk ports (e.g., 4444, 1337) are accessed.

      • High-risk processes initiate connections to external destinations.

      • Known malicious IPs/domains are accessed.

      • Event ID 5157 shows an unexpected process being blocked outbound.

  3. Investigate Suspicious Events

    • Correlate Event ID 5156 with other log data to build a timeline of suspicious activity: process creation (Event ID 4688, with command-line auditing enabled) to see how the process was launched and by what parent, and DNS client logs (Microsoft-Windows-DNS-Client/Operational) to recover the name that resolved to the destination IP.
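The conditions from "Detecting Malicious Activity" and "Practical Detection Strategy" applied to a batch of normalized 5156 records, as an added example that is not part of the original page. It assumes records already normalized into Python dicts (host, application, direction, dst_ip, dst_port, time) as a SIEM would present them. The sample events, their timestamps, the masquerading process name wupdsvc.exe and the threat-intel IP list are all constructed; the public-looking addresses come from the RFC 5737 documentation ranges, which is why the external-address check lists RFC1918 space explicitly instead of using ipaddress.is_private (that would also exclude the documentation ranges).

```python
"""SIEM-style detection over normalized Event ID 5156 records.

Added example, not code from the original page. Input records are assumed to
be already normalized into dicts (host, application, direction, dst_ip,
dst_port, time) as a SIEM would present them; all sample data is constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named on the page: Metasploit's default listener port plus a
# "leet" port, and the admin/interactive binaries that rarely need the internet.
HIGH_RISK_PORTS = {4444, 1337}
HIGH_RISK_PROCESSES = {"powershell.exe", "cmd.exe", "wmiprvse.exe"}
# Constructed stand-in for a threat-intel export (VirusTotal, AbuseIPDB ...).
KNOWN_BAD_IPS = {"198.51.100.23"}

# RFC1918, loopback and link-local, listed explicitly because
# ipaddress.is_private would also exclude the documentation ranges used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def match_rules(event: dict) -> list:
    """Per-event conditions from 'Practical Detection Strategy'; returns the reasons that fired."""
    reasons = []
    app, dst_ip, dst_port = event["application"], event["dst_ip"], event["dst_port"]
    outbound = event["direction"] == "Outbound"
    if outbound and dst_port in HIGH_RISK_PORTS:
        reasons.append(f"high-risk destination port {dst_port}")
    if outbound and app in HIGH_RISK_PROCESSES and is_external(dst_ip):
        reasons.append(f"high-risk process {app} reaching external host {dst_ip}")
    if dst_ip in KNOWN_BAD_IPS:
        reasons.append(f"destination {dst_ip} is on the threat-intel blocklist")
    return reasons


def find_beacons(events: list, min_count: int = 5, max_jitter: float = 0.2) -> list:
    """Repeated outbound connections to one endpoint at near-regular intervals.

    Groups by (host, application, dst_ip, dst_port) and measures the spread of
    the gaps between consecutive connections; a low coefficient of variation
    (stdev / mean) means a fixed sleep timer, which is how most C2 implants and
    infostealers check in. This catches beacons on 443 that the port rule misses.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["direction"] == "Outbound":
            groups[(ev["host"], ev["application"], ev["dst_ip"], ev["dst_port"])].append(ev["time"])
    beacons = []
    for (host, app, ip, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"host": host, "application": app, "dst": f"{ip}:{port}",
                            "count": len(times), "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


def evaluate(events: list) -> dict:
    """Run both detections; returns per-event alerts and beacon candidates."""
    alerts = []
    for ev in events:
        reasons = match_rules(ev)
        if reasons:
            alerts.append({"host": ev["host"], "application": ev["application"],
                           "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "reasons": reasons})
    return {"alerts": alerts, "beacons": find_beacons(events)}


T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed base timestamp


def _ev(host, app, dst_ip, dst_port, offset_s, direction="Outbound"):
    return {"host": host, "application": app, "direction": direction, "dst_ip": dst_ip,
            "dst_port": dst_port, "time": T0 + timedelta(seconds=offset_s)}


# Constructed batch. wupdsvc.exe is a made-up name masquerading as a Windows
# service; the public-looking addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    [_ev("WS01", "powershell.exe", "13.235.67.159", 4444, 0)]  # the page's reverse shell
    + [_ev("WS02", "wupdsvc.exe", "203.0.113.77", 443, t) for t in (0, 60, 118, 180, 241, 300)]  # ~60 s beacon
    + [_ev("WS02", "chrome.exe", ip, 443, t) for t, ip in ((5, "192.0.2.10"), (9, "192.0.2.11"), (40, "192.0.2.12"))]
    + [_ev("WS03", "svchost.exe", "203.0.113.200", 443, t) for t in (0, 5, 305, 317, 1217)]  # irregular, benign
    + [_ev("WS03", "cmd.exe", "10.0.0.5", 445, 50)]  # internal SMB: no alert
    + [_ev("WS01", "updater.exe", "198.51.100.23", 8080, 90)]  # threat-intel hit
)

if __name__ == "__main__":
    for section, items in evaluate(SAMPLE_EVENTS).items():
        print(section, *items, sep="\n  ")
```

On the constructed batch the per-event rules fire twice (the 4444 reverse shell, which trips both the port and the process rule, and the blocklisted destination), while the 443 check-in from wupdsvc.exe passes every per-event rule and is only caught by the interval analysis; the irregular svchost.exe traffic and the browser's spread of destinations stay quiet. Tune min_count and max_jitter against your own baseline before deploying the beacon rule, since implants with wide randomized sleep jitter push the coefficient of variation up.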


Key Points

By monitoring Event ID 5156, security analysts can gain critical insights into the network behavior of processes. This enables:

  • Early detection of suspicious activities such as malware communication and C2 traffic.

  • Rapid response to potential incidents.

  • Enhanced visibility into the network, ensuring comprehensive threat hunting.

Integrating these logs into a SIEM platform allows for real-time monitoring, alerting, and advanced correlation, empowering your security operations to stay ahead of threats.
